Isolating Processes using Docker User Namespaces and Seccomp


SLIDE 1

Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016

Paul Novarese Technical Account Manager Docker, Inc. pvn@docker.com @pvn

SLIDE 2

Agenda

  • Preliminaries
  • Container Security Considerations
  • Containment
  • Namespaces
  • What is Seccomp?
  • Demos?

SLIDE 3

SLIDE 4

The Iceberg

(Work by Uwe Kils) http://www.ecoscope.com/iceberg/

Your code
Your vendor’s code

SLIDE 5

Containment

  • namespaces -> what you can see
  • cgroups -> what you can use
  • seccomp -> what you can do

SLIDE 6

Containment

...applications deployed in containers are more secure than applications deployed on the bare OS because even if a container is cracked they greatly limit the damage of a successful compromise...

https://www.gartner.com/doc/3375717/secure-docker-containers-operation

SLIDE 7

Namespaces

https://www.flickr.com/photos/arthurtlabar/4275756092/

SLIDE 8

Namespaces

SLIDE 9

Namespaces

SLIDE 10

Enabling userns remapping

SLIDE 11

seccomp

Photo Credit: Institute for a Resource-Based Economy (IRBE) https://www.flickr.com/photos/toollibrary/14427641289

SLIDE 12

seccomp profiles

SLIDE 13

How do I get it?

  • You already have it!
  • Default profile has been applied to containers since engine 1.10
  • For custom profiles, pass the --security-opt option on the command line.
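
The custom-profile step on this slide, as an added example that is not part of the deck: a small Python script that builds a deny-by-default seccomp profile in the JSON layout the Docker engine reads, checks that it does not reopen syscalls the default profile already blocks, writes it to disk, and assembles the `docker run --security-opt seccomp=<file>` invocation that applies it. The allowlist, the must-deny list, the image name and the output path are constructed for illustration; `--security-opt seccomp=` and the profile keys `defaultAction`, `architectures`, `syscalls`, `names` and `action` are Docker's own.

```python
# Added example (not from the slides): build a custom Docker seccomp profile,
# sanity-check it, and produce the `docker run --security-opt` command line.
import json
import os
import tempfile

# Deny by default. SCMP_ACT_ERRNO makes an unlisted syscall fail with EPERM
# instead of killing the process, so the gap shows up in application logs.
DEFAULT_ACTION = "SCMP_ACT_ERRNO"
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}

# ABIs the rules apply to; the same set Docker's x86 default profile names.
ARCHITECTURES = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]

# Constructed allowlist for a hypothetical static file server: socket I/O,
# file reads and process housekeeping, nothing that alters kernel state.
FILE_SERVER_SYSCALLS = [
    "accept4", "bind", "brk", "clock_gettime", "close", "epoll_create1",
    "epoll_ctl", "epoll_wait", "exit", "exit_group", "fstat", "futex",
    "getpid", "listen", "mmap", "munmap", "newfstatat", "openat", "read",
    "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "sendfile",
    "setsockopt", "socket", "stat", "write", "writev",
]

# Constructed must-deny list: syscalls a workload like this never needs and
# Docker's default profile already blocks; a custom profile must not reopen them.
MUST_DENY = ["init_module", "kexec_load", "mount", "ptrace", "reboot", "settimeofday"]


def build_profile(allowed, default_action=DEFAULT_ACTION, architectures=ARCHITECTURES):
    """Return a profile dict in Docker's seccomp JSON layout (allowlist form)."""
    if default_action not in DENY_ACTIONS:
        raise ValueError("default action must deny; allow-by-default is a blocklist")
    for name in allowed:
        if not isinstance(name, str) or not name:
            raise ValueError("syscall names must be non-empty strings")
    return {
        "defaultAction": default_action,
        "architectures": list(architectures),
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW", "args": []}],
    }


def _rule_names(rule):
    """Names a rule covers, accepting both the `names` list and the older `name` key."""
    names = list(rule.get("names", []))
    if "name" in rule:
        names.append(rule["name"])
    return names


def check_profile(profile, must_deny=MUST_DENY):
    """Return the must-deny syscalls this profile would let through (empty is good)."""
    allowed, denied = set(), set()
    for rule in profile.get("syscalls", []):
        action = rule.get("action")
        if action == "SCMP_ACT_ALLOW":
            allowed.update(_rule_names(rule))
        elif action in DENY_ACTIONS:
            denied.update(_rule_names(rule))
    if profile.get("defaultAction") in DENY_ACTIONS:
        # Deny-by-default: only an explicit allow rule reopens a syscall.
        return sorted(n for n in must_deny if n in allowed)
    # Allow-by-default: everything not explicitly denied gets through.
    return sorted(n for n in must_deny if n not in denied)


def write_profile(profile, path):
    """Write the profile as JSON and return the path for the command line."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(profile, fh, indent=2)
    return path


def docker_run_args(image, profile_path, command=()):
    """Argument vector applying the custom profile via --security-opt (from the slide)."""
    return ["docker", "run", "--rm", "--security-opt", f"seccomp={profile_path}", image, *command]


if __name__ == "__main__":
    profile = build_profile(FILE_SERVER_SYSCALLS)
    findings = check_profile(profile)
    if findings:
        raise SystemExit(f"profile reopens denied syscalls: {findings}")
    out = write_profile(profile, os.path.join(tempfile.gettempdir(), "fileserver-seccomp.json"))
    # "example/fileserver:latest" is a placeholder image name, not a real image.
    print(" ".join(docker_run_args("example/fileserver:latest", out)))
```

Run as a script it writes the profile under the temp directory and prints the `docker run` line to paste. The profile is only as good as its allowlist, so derive that list from observing the workload rather than guessing; with `SCMP_ACT_ERRNO` as the default, a missing syscall surfaces as an EPERM in the container's own logs rather than a silent kill.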

SLIDE 14

The Iceberg (again)

(Work by Uwe Kils) http://www.ecoscope.com/iceberg/

SLIDE 15

ENOUGH TALKING

LETTUCE DEMO

SLIDE 16

Demo?

  • A DIY demo is available
  • https://twitter.com/pvn (it will be the pinned tweet)
  • If you’re reading this in the distant future and I’ve unpinned the tweet, try this URL instead: https://github.com/pvnovarese/2016-08-ContainerCon-Berlin/blob/master/README.md

SLIDE 17

Further Reading, References, etc

  • The definitive presentation on userns support: https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf
  • Default seccomp profile: https://github.com/docker/docker/blob/master/profiles/seccomp/default.json
  • Seccomp docs: https://github.com/docker/docker/blob/master/docs/security/seccomp.md
  • Security non-events: https://docs.docker.com/engine/security/non-events/
  • Gartner Report: How to Secure Docker Containers in Operation: https://www.gartner.com/doc/3375717/secure-docker-containers-operation
  • Your Software is Safer in Docker Containers: https://blog.docker.com/2016/08/software-security-docker-containers/

SLIDE 18

Booth D38 @ LinuxCon + ContainerCon

Tues Oct 4th

  • Build Distributed Systems without Docker, using Docker Plumbing Projects - Patrick Chanezon, David Chung and Captain Phil Estes

  • Getting Started with Docker Services - Mike Goelzer
  • Swarmkit: Docker’s Simplified Model for Complex Orchestration - Stephen Day
  • User Namespace and Seccomp Support in Docker Engine - Paul Novarese
  • Build Efficient Parallel Testing Systems with Docker - Docker Captain Laura Frank

Wed Oct 5th

  • How Secure is your Container? A Docker Engine Security Update - Phil Estes
  • Docker Orchestration: Beyond the Basics - Aaron Lehmann
  • When the Going gets Tough, get TUF Going - Riyaz Faizullabhoy and Lily Guo

Thurs Oct 6th

  • Orchestrating Linux Containers while Tolerating Failures - Drew Erny
  • Unikernels: When you Should and When you Shouldn’t - Amir Chaudhry
  • Berlin Docker Meetup

Friday Oct 7th

  • Tutorial: Comparing Container Orchestration Tools - Neependra Khare
  • Tutorial: Orchestrate Containers in Production at Scale with Docker Swarm - Jerome Petazzoni

SLIDE 19

SLIDE 20

Photo credits (all creative commons licensed)

  • Iceberg http://www.ecoscope.com/iceberg/
  • Horses https://www.flickr.com/photos/arthurtlabar/4275756092/
  • Catan https://www.flickr.com/photos/bods/6120445526/
  • Workbench https://www.flickr.com/photos/toollibrary/14427641289
  • memegenerator.net obv